Secure Development Analyst (AppSec / DevSecOps)

EPAM Systems, Inc.


Date: 5 days ago
City: Córdoba, Córdoba
Contract type: Full-time

We are looking for a Secure Development Analyst to operate and enhance our DevSecOps capabilities, strengthening CI/CD delivery by embedding automated security controls and actionable guidance for engineering teams. You will help keep our Jenkins + Podman ecosystem running smoothly while partnering with developers to reduce risk.

Responsibilities

  • Operate DevSecOps infrastructure supporting Veracode scans across the Jenkins + Podman stack
  • Maintain and improve CI/CD pipelines by adding automated controls for SAST, SCA, DAST, secret scanning, and container image analysis
  • Design security gates that reduce risk while preserving developer velocity
  • Integrate and maintain tooling connections across Bitbucket, SonarQube, and JFrog Artifactory
  • Triage security findings, prioritize remediation work, and support teams through resolution
  • Perform early interventions in agile delivery by conducting design reviews and story reviews against defined standards
  • Collaborate with development and architecture teams to promote secure coding practices and consistent implementation of security requirements

Requirements

  • 2+ years of experience in AppSec, DevSecOps, DevOps, or development roles with a security focus
  • Hands-on experience with Jenkins, including declarative pipelines, shared libraries, and agent management
  • Hands-on experience with Podman for containerized build and scan workflows
  • Project experience operating and evolving DevSecOps infrastructure supporting SAST/SCA/DAST workflows
  • Strong knowledge of secure development frameworks and standards: NIST SSDF (SP 800-218), OWASP ASVS, OWASP SAMM, OWASP Top 10 (Web/API/LLM/Mobile), SEI CERT, MITRE ATT&CK, and CWE Top 25
  • Solid understanding of security testing approaches and tools (SAST, SCA, DAST, IAST, and secret scanning)
  • Working knowledge of container ecosystems and orchestration (Docker, Kubernetes/OpenShift) and image scanning concepts
  • Proficiency with CI/CD and repository integrations such as Bitbucket/Git, SonarQube, and JFrog Artifactory
  • Familiarity with cloud platforms (AWS, Azure, or GCP) and CIS Benchmarks
  • Skills in development languages and stacks, with the ability to read and analyze source code (Java, Node.js, JavaScript/TypeScript, Python, Go, .NET)
  • Knowledge of auth and federation (OIDC, OAuth 2.0, SAML, JWT, mTLS) and IDPs such as Keycloak
  • Background in secure transport protocols (SSL/TLS), PKI, and secret management (Vault, secrets managers)
  • Threat modeling experience with STRIDE, PASTA, or attack trees
  • Knowledge of best practices to prevent attacks (OWASP) and knowledge of common vectors in web applications and APIs
  • Good communication skills to explain findings clearly and propose pragmatic fixes
  • English proficiency at a B1+ level

Nice to have

  • Computer science student or graduate (or related field)
  • Experience with Veracode, Checkmarx, Snyk, Semgrep, or GitLeaks

We offer

  • International projects with top brands
  • Work with global teams of highly skilled, diverse peers
  • Healthcare benefits
  • Employee financial programs
  • Paid time off and sick leave
  • Upskilling, reskilling and certification courses
  • Unlimited access to the LinkedIn Learning library and 22,000+ courses
  • Global career opportunities
  • Volunteer and community involvement opportunities
  • EPAM Employee Groups
  • Award-winning culture recognized by Glassdoor, Newsweek and LinkedIn

How to apply

To apply for this job, you must log in on our website. If you do not have an account yet, register.
